PT-2026-5137 · Unknown · Egroupware

Lukasz-Rybak · Published 2026-01-28 · Updated 2026-02-19 · CVE-2026-22243

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

EGroupware versions prior to 23.1.20260113
EGroupware versions prior to 26.0.20260113

Description

EGroupware is a web-based groupware server written in PHP. A SQL Injection issue exists in the core components of EGroupware, specifically in the Nextmatch filter processing. Authenticated attackers can inject arbitrary SQL commands into the WHERE clause of database queries. This is possible due to a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the is_int() security check. The vulnerable component is the Nextmatch filter.

Recommendations

Update EGroupware to version 23.1.20260113 or later.
Update EGroupware to version 26.0.20260113 or later.
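
The type-juggling bypass named in the Description, reduced to a stand-alone PHP sketch that sets the weak pattern beside a hardened one. This is an added example, not EGroupware's code: `build_where_vulnerable`, `build_where_hardened`, `ALLOWED_COLUMNS` and the request body are hypothetical and constructed, and it assumes a filter builder that treats integer array keys as trusted raw SQL fragments, which the advisory does not spell out.

```php
<?php
// Added illustration, not EGroupware code. Assumption: integer array keys
// mark raw SQL fragments written by server code; string keys are columns.
const ALLOWED_COLUMNS = ['owner', 'status', 'cat_id']; // constructed allow-list

// Vulnerable pattern: is_int($key) is taken as proof the fragment is trusted.
function build_where_vulnerable(array $filter): array
{
    $sql = [];
    $params = [];
    foreach ($filter as $key => $value) {
        if (is_int($key)) {
            $sql[] = $value;          // value is placed in the WHERE clause verbatim
        } else {
            $sql[] = "$key = ?";
            $params[] = $value;
        }
    }
    return [implode(' AND ', $sql), $params];
}

// Hardened pattern: client filters may only name allow-listed columns, and
// every value is bound as a parameter. Integer keys are never accepted.
function build_where_hardened(array $filter): array
{
    $sql = [];
    $params = [];
    foreach ($filter as $key => $value) {
        if (!is_string($key) || !in_array($key, ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException('unexpected filter key');
        }
        if (!is_scalar($value)) {
            throw new InvalidArgumentException('unexpected filter value');
        }
        $sql[] = "$key = ?";
        $params[] = $value;
    }
    return [implode(' AND ', $sql), $params];
}

// Constructed request body. The client picked the key "0"; json_decode()
// into a PHP array normalises that numeric string key to the integer 0.
$filter = json_decode('{"owner": "5", "0": "<client-supplied SQL fragment>"}', true);
print_r(build_where_vulnerable($filter));
try {
    build_where_hardened($filter);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The point for code review is that `is_int()` on data that passed through `json_decode()` says nothing about where that data came from, so trust decisions belong on an explicit allow-list with bound parameters.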

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-22243
GHSA-RVXJ-7F72-MHRX

Affected Products

Egroupware